Capture USB Packets with Wireshark on Linux: Step-by-Step Guide

Wireshark is commonly known for network packet capture, but it’s also an excellent tool to monitor USB communication between your system and connected devices. This is especially useful when debugging:

  • Custom USB drivers
  • USB-to-serial devices
  • HID devices (mouse, keyboard)
  • Embedded USB communication

Unlike Ethernet interfaces, capturing USB traffic requires special preparation. This guide walks you through capturing USB packets using Wireshark on Ubuntu/Linux with all the required setup, commands, and example use cases.


✅ Step 1: Install Wireshark on Ubuntu

If not already installed, start with:

sudo apt update
sudo apt install wireshark -y

Explanation:
Installs the GUI and CLI tools for Wireshark. During installation, if prompted about allowing non-root users to capture packets, choose Yes.

To let your user access capture interfaces:

sudo usermod -aG wireshark $USER
newgrp wireshark

📘 Step 2: Enable USB Packet Capture Support

USB capture is only available on Linux, and it uses the usbmon interface provided by the kernel.

Check whether the usbmon module is loaded:

lsmod | grep usbmon

If it’s not listed, load it with:

sudo modprobe usbmon

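You should now have virtual interfaces like usbmon0, usbmon1, etc. The matching per-bus entries appear under debugfs (root access is required to read it):

sudo ls /sys/kernel/debug/usb/usbmon/

If that directory does not exist, debugfs is not mounted yet. Mount it, then list the directory again:

sudo mount -t debugfs none /sys/kernel/debug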

Explanation:
The usbmon kernel module exposes USB traffic for tools like Wireshark and tcpdump. Each usbmonX represents a USB bus.


✏️ Step 3: Start Wireshark and Select USB Interface

Launch Wireshark:

wireshark &

In the interface selection screen, you should now see entries like:

usbmon0
usbmon1
usbmon2

  • Select the appropriate usbmonX interface that corresponds to the USB device you want to analyze.
  • Click Start Capture.

Once active, you’ll see packets labeled with URB transfer types such as URB_BULK, URB_CONTROL, and URB_INTERRUPT.


🧪 Optional: Filter USB Packets by Device

To filter USB traffic to/from a specific device, first identify its vendor ID and product ID:

lsusb

Example output:

Bus 001 Device 005: ID 1a86:7523 QinHeng Electronics HL-340 USB-Serial adapter

Now in Wireshark, use a display filter on the device number reported by lsusb (Device 005 in the example):

usb.device_address == 5

or filter by content:

usb.capdata

Explanation:
These filters help narrow down specific USB communications among potentially noisy traffic from all USB buses.
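
The lsusb line above gives both the capture interface and the filter: Bus 001 means usbmon1, and Device 005 means device address 5. The script below is an added example, not part of the original guide. The helper names usb_target and usb_filter are hypothetical, the lsusb sample is constructed, and it also uses Wireshark's usb.bus_id field, which the guide does not mention.

```shell
#!/bin/sh
# Added example: turn an lsusb line into the usbmon interface and display filter.
# usb_target and usb_filter are hypothetical helper names, not Wireshark tools.

# Constructed lsusb output so the script runs without the hardware attached.
SAMPLE_LSUSB='Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 005: ID 1a86:7523 QinHeng Electronics HL-340 USB-Serial adapter
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'

# usb_target VID:PID   (lsusb-format text on stdin)
# Prints "<interface> <bus> <device>" for the first matching device;
# returns 1 when nothing matches. Two identical adapters need a manual choice.
usb_target() {
    ut_want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v want="$ut_want" '
        $1 == "Bus" && $3 == "Device" && tolower($6) == want {
            bus = $2 + 0                      # "001"  -> 1
            dev = $4; sub(/:$/, "", dev)      # "005:" -> "005"
            printf "usbmon%d %d %d\n", bus, bus, dev + 0
            found = 1
            exit
        }
        END { exit !found }'
}

# usb_filter VID:PID   (lsusb-format text on stdin)
# Prints a display filter that isolates that device on its bus.
usb_filter() {
    uf_out=$(usb_target "$1") || return 1
    set -- $uf_out                            # $1=iface $2=bus $3=device
    printf 'usb.bus_id == %d && usb.device_address == %d\n' "$2" "$3"
}

# Demo on the constructed sample; on a real host use: lsusb | usb_target 1a86:7523
set -- $(printf '%s\n' "$SAMPLE_LSUSB" | usb_target 1a86:7523)
demo_filter=$(printf '%s\n' "$SAMPLE_LSUSB" | usb_filter 1a86:7523)
echo "capture: sudo tshark -i $1 -w usb_log.pcap"
echo "review:  tshark -r usb_log.pcap -Y '$demo_filter'"
```

Device addresses are reassigned on every replug, so rerun the lookup after reconnecting the device.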


🔄 Step 4: Capture USB Data in CLI (Optional)

If you prefer terminal-based capture:

sudo tshark -i usbmon1 -w usb_log.pcap

Explanation:
tshark is the CLI equivalent of Wireshark. This command captures packets from usbmon1 and saves them to a .pcap file.

You can later open this file in Wireshark GUI:

wireshark usb_log.pcap

⚠️ Common Errors and Fixes

| Issue | Cause / Fix |
|---|---|
| No usbmon interfaces in Wireshark | Load module with sudo modprobe usbmon |
| “Permission denied” on capture | Add user to wireshark group + relogin |
| Not seeing device traffic | Select the correct usbmon interface / use filters |
| Only seeing URB_SUBMIT not response | Some devices use bulk endpoints; increase buffer or capture size |

🧠 Best Practices for USB Packet Analysis

  • Label your device: Disconnect, run lsusb, reconnect to find the correct address.
  • Limit the capture scope: Use filters to reduce noise and improve readability.
  • Record .pcap files: Always capture to file for repeatable, offline analysis.
  • Pair with dmesg/udevadm: Use system logs to correlate events.

🧪 Use Case: Debugging USB-to-Serial Communication

Let’s say you’re testing a USB to TTL serial adapter. You can:

  1. Plug it in and note the device ID via lsusb
  2. Start Wireshark on usbmonX
  3. Use a terminal program like screen or minicom to send data
  4. Watch the URB_BULK packets for actual data bytes

This is helpful when troubleshooting communication mismatches, data loss, or flow control.


Wireshark is not just for network engineers—it’s also a powerful USB protocol analyzer when used with the right tools and kernel modules. Whether you’re debugging firmware, drivers, or USB protocol behavior, learning how to use Wireshark for USB capture will make you a more effective developer.

With a few commands and interface tweaks, you’ll be able to deep-dive into USB packets in real time.

Have you used Wireshark for USB debugging before? Share your device use case or filters you found useful—we’d love to hear your analysis techniques!
